What will change for WhatsApp users with the introduction of the new end-to-end encryption mechanism?

What will change for WhatsApp users with the introduction of the new end-to-end encryption mechanism?

For those adept of the electronic communications services offered by WhatsApp, some recent changes implemented by the platform in a global scale may bring new challenges to Law and to the development of the instant messaging application sector. On the 5th of April, the company activated an end-to-end encryption mechanism for all its users. In practical terms, this system causes every content exchanged through the application to be available only to the sender and receiver. Additionally, the content of communications intermediated by the platform no longer remain on WhatsApp servers, in such a manner that the company is incapable of “unlocking” the content of messages, since the keys remain with users only.How does this work in the realm of data? Based on the so called “public key encryption” or “assymetric encryption”. In order to send a message to user B, user A asks WhatsApp for a public key, which is also valid for user B. User A, then, uses that key to encrypt (or “lock”) the message sent. User B, in its turn, decrypts (or “unlocks”) the message with its own private key, which only works on its own smartphone. Therefore, the content may be accessed only by A or B, without interference of the platform.

Fonte: Wired.com

Through the “end-to-end” encryption technology, not even WhatsApp has access to information exchanged between its users. It is estimated that said information is created and shared by nearly a billion people worldwide. Other big tech companies, such as Apple and Google, are following the same path. The undeniable advances in privacy and data protection structures, however, tend to translate into a huge obstacle for criminal investigations. The global offensive by police authorities against encryption technologies has developed on many fronts. In France, for instance, the usage of encrypted applications for the planning of criminal acts during the recent terrorist strikes in Paris has been pointed. In the United States, the Department of Justice began proceedings against Apple seeking to obtain data from suspects of terrorism, on par with FBI attacks in cases in which the true protagonist is an object: a blocked iPhone. In Brazil, a Facebook executive was arrested due to the alleged technical impossibility by WhatsApp to provide for authorities the content of users, supposedly drug dealers. In practice, it can be noted, these actions sought a practical result: breach of confidentiality of personal data and communications between users of the platform.

It is known that the interests of these companies is legitimate and widely defended in administrative and judicial proceedings, and even in relation to public opinion. In many cases, these proceedings question the informational business model, to which the access to user data is central. On the WhatsApp case, the official reasoning is ideological in nature and has as an ulterior motive the privacy of users. According to the company’s website, “Privacy and security are in our DNA. That is why we have adopted end-to-end encryption on the last versions of our app. On end-to-end encryption, your messages, pictures, videos, voice messages, documents and calls are guaranteed not to fall on wrong hands.”

On the Brazilian legal system, there are no laws or regulations that rule over data encryption on instant messaging applications and similar services. Article 10 of the Marco Civil da Internet (Law 12.965/2014) binds storage of access logs, personal data and content of private communications in Internet applications to compliance with “the preservation of intimacy, private life, honor and image of parts directly or indirectly involved”. Companies such as Google, Facebook, WhatsApp, Telegram, Viber could only be forced to make access logs and other user identification information available through a court order. That is so because the legislator sought to assure core values of the Information Society for the treatment of emerging legal relations with access to the Internet and user protection: i) Inviolability of intimacy and private life; ii) inviolability and confidentiality of communication flows through the network; iii) inviolability and confidentiality of stored private communications.

On the established legal framework, the Marco Civil rules that the breach of confidentiality controlled by the application provider must be subject to jurisdictional control and to legal requisition proceedings, as determined by articles 10 and 22. In face of that, providers may only be compelled to provide data under court orders, by strict compliance of criteria established by law. That is so because providing this data would result in breach of the confidentiality of communications, private or through the Internet. In relation to the powers of administrative authorities for the obtaining of confidential data of Internet users, without the need for a court order, Article 10, § 3º of the Marco Civil admits only a single permission for direct administrative requisition of data through administrative ways. However, this data pertain to user registration information on a certain service or application.

Under the Rule of Law, compliance with the institutional guarantee to confidentiality of communications requires an adequate balancing of interests: the individual’s, the society’s, and the public interest’s. In line with an accurate opinion by Tercio Sampaio Ferraz Jr., situations in which the Constitution guarantees confidentiality, the weighting requires courts to be able to distinguish between a breach that threatens the right to privacy, in its object, in relation to other objects of other rights also protected by said confidentiality. It would always be an interpretative task to question the exact measure and limitations through which judicial and administrative organs may exercise their authorities on what concerns provisions X and XII of the 5th Article of the Constitution.

Both privacy as well as confidentiality of data are ruling principles of the most basic interactions under citizenship and republican base of the Rechstaat, established on Justice, integrity, separation of powers, promotion of Human Rights and the empowerment of civil society. The State, in its turn, could not be barred from exercising its police power and its ruling power. Confidentiality has to do with the safety of users themselves and excludes, from the will of part of the society and of the State, the power to access personal data under the control of providers.

In any way, there’s a limitation to the authorization conceded by the Marco Civil, considering Internet companies are not obliged to keep information useful to criminal investigations. Encryption wouldn’t act, in our opinion, as hindrance to investigations – and, therefore, be taken as ilegal for, on first sight, creating obstacles to the exercise of police power or criminal prosecution. As we know, if on one hand the confidentiality is a condition to the fundamental right to privacy, on another, the Federal Constitution on its 5th Article, XII, stresses criminal investigation or procedural instructions as possible limitations to the confidentiality of communications. The fact that end-to-end encryption makes it technically impossible for data requested in criminal investigations to be made available is not illegal per se.

As a conclusion: How has International Law captured the reality of data encryption that circulate on a daily basis between smartphone applications? The answer seems to lie more on the observations regarding the behaviour of Internet companies on a transnational scale. Apps developed by Google, Facebook, Apple and etc are conceived based on their own safety and privacy standards, which in turn inform a private framework for normative treatment of user data. It justifies the reasoning and claims in favor of the so called Lex Informatica. It is undeniable that such a framework counts with their own institutions and subjects, but is not bound to any State legal system. Still, users, civil society and States are bound to constitutions and treaties.

About the author

Fabrício Bertini Pasquot Polido

Founder and Scientific Advisor of the Institute for Research on Internet & Society. Tenured Professor of Private International Law, International Intellectual Property Law, Internet Law and Comparative Law at the Federal University of Minas Gerais’ School of Law. Prof. Polido holds a Doctor in Law degree in International Law, University of São Paulo School of Law (USP, 2010) and LL.M. in International Intellectual Property Law (University of Turin, 2007). He was Visiting Researcher at the Max-Planck Institute for Comparative and International Private Law in Hamburg. Member of the Private International Law and Intellectual Property Committee, International Law Association (ILA), of the International Economic Law Society and of the American Association for International Private Law. Head of the Study Group on Internet, Innovation and Intellectual Property of the Federal University of Minas Gerais (GNET).